Aryeh Gregor wrote on 7/22/2009 5:47 PM:
> On Wed, Jul 22, 2009 at 1:56 PM, Bil Corry wrote:
>> The idea here is 'when in doubt, favor the more restrictive option.' There
>> shouldn't be both headers, but if there are, then CSP wins.
>
> Ah, I see, you'd only send one header. Well, it still se
On Wed, Jul 22, 2009 at 1:56 PM, Bil Corry wrote:
> The idea here is 'when in doubt, favor the more restrictive option.' There
> shouldn't be both headers, but if there are, then CSP wins.
Ah, I see, you'd only send one header. Well, it still seems like it
might be a little more confusing to ha
Aryeh Gregor wrote on 7/22/2009 12:38 PM:
> On Wed, Jul 22, 2009 at 1:20 PM, Bil Corry wrote:
>> If it's desirable to add a 'report only' feature to CSP, I'd prefer to see a
>> second CSP-related header (X-Content-Security-Policy-ReportOnly???) that
>> implements it rather than adding it to the CSP
On Wed, Jul 22, 2009 at 1:20 PM, Bil Corry wrote:
> If it's desirable to add a 'report only' feature to CSP, I'd prefer to see a
> second CSP-related header (X-Content-Security-Policy-ReportOnly???) that
> implements it rather than adding it to the CSP header. The presence of both
> headers (CSP a
Aryeh Gregor wrote on 7/21/2009 5:34 PM:
> If we could do reports only, then we would probably publish the data
> live in some form, yes.
If it's desirable to add a 'report only' feature to CSP, I'd prefer to see a
second CSP-related header (X-Content-Security-Policy-ReportOnly???) that
implements
I'm CCing wikitech-l here for broader input, since I do think
Wikipedia would be interested in adopting this but I can't really
speak for Wikipedia myself. The history of this discussion can be
found in the archives:
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-July/021133.html
I thi
On Fri, Jul 17, 2009 at 6:21 PM, Brandon Sterne wrote:
> No, that feature is not part of the current design, though nothing is
> set in stone. Couldn't you achieve the same effect (verifying your
> policy isn't blocking wanted things) by simply testing the pages in a
> CSP-supporting browser and w
On Thu, Jul 16, 2009 at 2:25 PM, Aryeh Gregor wrote:
> Is there support in the spec for pinging the report-uri on violations,
> but still allowing the violation to go through? That could allow much
> easier deployment, so that you could verify that your policy wasn't
> blocking anything legitimate
On Thu, Jul 16, 2009 at 4:25 PM, Jonas Sicking wrote:
> We've actually proposed it to the webapps list, but got little to no
> response. I'm not sure if we at this time have anyone that would have
> the resources to offer to be editor for a W3C CSP spec, if any of the
> WGs there are interested to
On Wed, Jul 15, 2009 at 6:48 PM, Aryeh Gregor wrote:
> On Wed, Jul 15, 2009 at 9:24 PM, Jonas Sicking wrote:
>> Note that Content Security Policies[1] can be used to deal with
>> clickjacking. So far we've gotten a lot of positive feedback to CSP
>> and are in progress of implementing it in firefox
On Thu, 16 Jul 2009 03:48:41 +0200, Aryeh Gregor
wrote:
On Wed, Jul 15, 2009 at 9:24 PM, Jonas Sicking wrote:
Note that Content Security Policies[1] can be used to deal with
clickjacking. So far we've gotten a lot of positive feedback to CSP
and are in progress of implementing it in firefox.
On Wed, Jul 15, 2009 at 10:18 PM, Aryeh Gregor wrote:
> I haven't seen it discussed here, but maybe it has been and I didn't
> see or don't remember. Although Ian might not want to consider it for
> HTML 5 without vendor agreement, I'd think that a separate working
> group could be set up (or an e
On Wed, Jul 15, 2009 at 9:53 PM, Jeremy Orlow wrote:
> Didn't Ian, 2 messages back, suggest that vendors experiment and bring their
> results back to the table at a later date? Or has CSP never been discussed
> here?
I haven't seen it discussed here, but maybe it has been and I didn't
see or don'
On Wed, Jul 15, 2009 at 6:48 PM, Aryeh Gregor
> wrote:
> On Wed, Jul 15, 2009 at 9:24 PM, Jonas Sicking wrote:
> > Note that Content Security Policies[1] can be used to deal with
> > clickjacking. So far we've gotten a lot of positive feedback to CSP
> > and are in progress of implementing it in
On Wed, Jul 15, 2009 at 9:24 PM, Jonas Sicking wrote:
> Note that Content Security Policies[1] can be used to deal with
> clickjacking. So far we've gotten a lot of positive feedback to CSP
> and are in progress of implementing it in firefox. So it's a possible
> solution to this.
Is Mozilla plann
On Wed, Jul 15, 2009 at 5:26 PM, Ian Hickson wrote:
>
> There have been a number of discussions about clickjacking,
> X-Frame-Options, and other proposals.
>
> Nobody I've spoken to seems especially happy with X-Frame-Options, and
> none of the other proposals have yet gotten serious traction.
>
>
On Mon, 23 Feb 2009 14:23:40 +0100, Giorgio Maone
wrote:
On Fri, 20 Feb 2009 19:36:47 +0100, Bil Corry wrote:
Sigbjørn Vik wrote on 2/20/2009 8:46 AM:
One proposed way of doing this would be a single header, of the form:
x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
allow=
On Fri, 20 Feb 2009 19:36:47 +0100, Bil Corry wrote:
Sigbjørn Vik wrote on 2/20/2009 8:46 AM:
One proposed way of doing this would be a single header, of the form:
x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
allow=*.opera.com,example.net;
This incorporates the idea from the
Sigbjørn Vik wrote on 2/20/2009 8:46 AM:
> One proposed way of doing this would be a single header, of the form:
> x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
> allow=*.opera.com,example.net;
> This incorporates the idea from the IE team, and extends on it.
Have you taken a loo
On Fri, 20 Feb 2009 16:00:09 +0100, Giorgio Maone
wrote:
Sigbjørn Vik wrote, On 20/02/2009 15.46:
There is currently little protection against clickjacking, the
x-frame-options is the first attempt.
Nope, it's the second and weakest:
http://hackademix.net/2008/10/08/hello-clearclick-goodbye
Sigbjørn Vik wrote, On 20/02/2009 15.46:
There is currently little protection against clickjacking, the
x-frame-options is the first attempt.
Nope, it's the second and weakest:
http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/
http://noscript.net/faq#clearclick
--
Giorgio M